Configuring Cisco ASA VPN on Qubes 4.0 with openconnect

I have rewritten my VPN guide for Qubes 4.0, since my old post from 3.2, didn’t work out of the box and some supposed solutions on the web, didn’t sit well with me. The above link was too much hassle for me, so I chose to investigate how I can make a guide like the last one, just for Qubes 4.0.

Here it is, although the changes are few:

Create your vpn appVM, based on your preferred fedora template:

Add the ‘network-manager’  as a service :

Tur on the AppVM, and when the network icon appears, add the vpn connection:

Select the OpenConnect type:

Insert FQDN in the gateway section and save.

Start the VPN connection:

Type yur password and the connection will be established and your icon look like this:

Cloning fedora-26 to fedora-27 template Qubes 3.2

UPDATE: Qubes officially have support for Fedora-27 now:

and fedora-28

————————————–

I suddenly got a message that there are new updates to fedora-26 and those updates was the release of a fedora-27.

Sadly, there is no qubes fedora-27 template :

so I think we will have to follow the guide used in fedora-25 -> fedora-26 and see if we can use that for fedora-26 -> fedora-27 (and probably 28 also…):

clone the VM

prepare the new template and start gnome-terminal to configure the new release and run updates

See the error, showing there’s missing fc27 repository in qubes 3.2.

disable all qubes repositories and update to fedora 27 in the TemplateVM and select 26 hoping the differences are not too many ( list here).

I think it’s better to use the fedora-26 qubes repo, from Qubes 3.2 on fedora-27, than  trying the Qubes 4.0 fc27 repo, but I have no actual knowledge backing it up. Funny that Qubes 4.0 has a fc28, when it hasn’t been released properly yet. That is amazing 🙂 Great work, Qubes-team. (I couldn’t get it to work on 4.0, though)

Change fc$releasever in the repo-file to fc26, before the dnf update, and run it:

After applying updates, shut down the VM and clean up the files in dom0:

And voilá. The TemplateVM is ready to go, without any warranties, but it seems with KeePassXC 2.3.1 instead of 2.2.4, as an example (Better browser integration :).

And with Fedora 28 in beta, it might be a good idea to do the above again, just with fedora 28 and qubes fedora 26 repository.

GnuPG2 in thunderbird with Enigmail on Qubes 3.2

Let’s start generating some keys that do not expire. We can always revoke them, if neccessary instead. No need for expiration, if they are kept secure. All of this activity should be performed in ‘vault’, so the below is just for educational remembrance. Remember to create a revocation key that you put somewhere safe, just in case your machine get’s stolen or breached:

[user@untrusted ~]$ gpg2 –full-generate-key

Enter the passphrase for the keys, when done typing infomation.

The following is just for showing that we need to move the mouse, etc. to generate random data. It’s over, literally, in a second.

Get the fingerprint of the key:

[user@untrusted ~]$ gpg2 –fingerprint

So now we have a private and a public key stored in ~/.gnupg/

Be sure to ulpad to keyservers, if you are to use it to communicate with strangers.(searchable):

$ gpg2 –keyserver keys.gnupg.net –send <keyid>

Also maybe send to pgp.mit.edu and subkeys.pgp.net or whomever seems sensible.

Remember to generate the revoke certificate, just in case 🙂

$ gpg2 –output revoke.asc –gen-revoke  <keyname>

And if the stuff gets stolen, breached or whatever, you can revoke it locally with an import:

$ gpg2 –import revoke.asc

And remote revoke it by doing the following on all keyservers you submitted to

$ gpg2 –keyserver hkp://pgp.mit.edu –revoke <keyid>

We can use gpg2 to encrypt, sign and decrypt messages, but if we wan’t to use enigmail in thunderbird, we need to do the following:

Start thunderbird:

[user@untrusted ~]$ thunderbird

After setting up the mail account, configure the enigmail plugin, if we are comfortable using that:

Select the fast and easy setup…

It looks in the users .gnupg directory and asks if it’s ok, and I guess, yes.

Now, we can start signing and encryping messages 🙂

#deletefacebook is step 1 in privacy

Please #deletefacebook

If this story has any meaning to you, a deletion of your facebook profile is the way to go. You an download your data for a preview and to get shocked or comforted, and the link to salvation is here .

My old deacivated facebook was 18mb, including 2 videos of approximately 9,8MB, so not a big deal. But some private conversations, was there, of course.

And now off to instagram, twitter, etc. Off the grid it is the only way to go, unless we have other PAID services to use, so WE are not the product. This breach of confidence is a bit too much.

And if people talk about BigBrother, and are angry about their government  watching them, but freely gives everything they do to Google, youtube, facebook et al, ignore them.  They must be stupid.

exFAT on sys-usb on Qubes-OS 3.2 (Sony RX100V picture offloading)

Red Hat does NOT support exFAT, due to Microsoft license restrictions(rumor says), so therefore SDXC cards above 32GB is a nogo.

Debian has support though, so change your sys-usb template to run on debian(greyed out in picture, because machine is running):

You have to reselect the terminal in the tab “Applications”, since the app and location isn’t the same. But then you can mount the device properly:

Voilá:

Then copy the files(or move or whatever) to the machine of your choice to manipulate or store them for viewing and backup:

And wait for it to finish …

Here they are:

If you moved them, you don’t have to clean your memory card, but I just wan’t to be sure all formats are ok, before deleting anything ;

Qubes 3.2 – Dom0 updates broken

The following error, updating dom0 :

  • tar: /var/lib/qubes/dom0-updates: Cannot open: No such file or directory
    tar: Error is not recoverable: exiting now
    Dom0 updates dir does not exists: /var/lib/qubes/dom0-updates

Seems to be fixed with the following commands in the template used by your updateVM (my case whonix-gw, which is gateway for sys-whonix updateVM:

sudo mkdir /var/lib/qubes/dom0-updates
sudo chown user:user /var/lib/qubes/dom0-updates

Restarting the updateVM is needed for the VM to reload with the correct setup.

Reference: https://github.com/QubesOS/qubes-issues/issues/3620

Connecting to Cisco ASA VPN on Qubes 3.2 with openconnect

OpenConnect on Qubes 3.2. Using a vpn ProxyVM to connect to Cisco ASA VPN .

Create a new vpn ProxyVM using fedora-26 template:

Due to a bug in software from Fedora 25 and later, you have to install a ‘NetworkManager-openconnect-gnome’ package, (which is not in the template by default) or you will get an error creating the VPN Connection in vpn:

So install the package:

Create the Openconnect connection without errors:

Configure the site:

Type your username and password, when connecting, and you’re good to go.  This also supports 2FA.

When starting the ProxyVM, the extra network icon appears in the upper right corner and you can use it to connect. Very neat, indeed.

VMware Horizon View Client on Qubes 3.2

Start the selected TemplateVM (I selected fedora-26, since it’s default in Qubes). Clone it if you want.

A prerequisite is the Libxxs shared object, but here was provided a solution for installing it i Fedora.

So, since this is a prerequisite for the VMware Horizon View client, install it now:

Answering yes to any questions.

Start the terminal in  and copy the download link from a browser (I try to minimize the use of direct internet access in templates). Download the client.

make the file executable and Install the client(remember sudo ;):

Obviously select yes:

Choose whatever your heart desires:

Await the copying of files…

 Choose scan to see if everything is in order:

Chose close and start the client:

Begin configuring your environment:

UPDATE Thursday 19 July:

With newer client I exprienced black screen when logging on to VDI vmware horizon, but disabling H.264  helped.

You can also start vmware-view with the following to avoid black screen:

# vmware-view –enableNla

Assign USB-disk to VM in Qubes4.0RC4

Qubes has a new graphical feature that enables you to attach a USB device to your VM and then mount it on the VM

The above “work” was already selected and ready for unmounting. Lets go to the VM and list the added disk and mount it:

If in doubt which disk is which, deattach it in Qubes Manager and fdisk -l again to see what’s missing.

Ordering a Purism Librem 13v2 to run Qubes 4.0RC4

Privacy has increasingly become a worry for me, and with big corporations selling your data like candy, it seems like a good idea to go somewhat under the radar. Not just by not using big corps “free” services, but also protect oneself again maliciousness from evil doers, due to holes in all code made in the concept of “time-to-market” instead of security in mind.

And how do you secure yourself from Trojans, and all the other stuff, without reading every instruction on the internet about issues and how to counteract them?

You can tape your camera, run antivirus, avoid clicking this and that, but isn’t there something completely wrong with programs, if a single click can infect your computer without authorization, and all your phone’s data can be sold to the highest bidder, because you are not in charge of your data anymore. The world is as insecure as it gets.

A long time ago I abandoned facebook and I need to take a step further. I had this romantic dream of kill switches that disables bluetooth, microphones and camera, giving me the controls back, instead of being a possible victim of Trojans en mass, etc. And the idea of a browser with a bug, that didn’t put my harddrive accessible to the internet. Kill switches took me to purism and compartmentalization took me to Qubes.

A match made in heaven ! 🙂

So installing Qubes 3.2 on my lenovo yoga 2 Pro, was step 1 and ordering a Purism Librem5 phone was step 2. After ordering the phone (Librem 5), I also ordered the Librem 13v2, with Qubes, with the latest hardware, so I could run Qubes 4.0, when it was released.

This is the story of how my Purism Librem13v2 was a challenge. And the story isn’t over yet.

On the 22nd of November I ordered my Librem13v2, anticipated shipping a few weeks later.

An expensive buy, but I was in the mood for a long term relationship, with Purism. NVMe disk and Qubes. A bit overpriced you might say. That’s another story. NVMe 512GB here is $330 retail, so yes.

The shipping update on the 26th of November was promising:

  • Hi Max,
  • We received a new batch of Librem 13 a few days ago. We’ll start shipping them in a few days. Since your order is fairly recent, it will probably be shipped around mid December.
  • Best regards

Mid December. Sounds good to me. Then maybe I can get it as a christmas present?

  • Hi Max,
  • Unfortunately, not. Your order includes a TPM add-on and those orders will be shipped in the first half of January. We received a lot of requests for TPM, so we needed more time than initially planned to modify all those orders.
  • Best regards

Damn. My christmas present was delayed. Well, the thing is worth waiting for :). Right? Half through January it was still awaiting shipment….

Hi Max,

We’re trying very hard to fulfill all orders in a timely manner and have hired additional staff. We’ll get to your order as fast as possible, probably in the next two-three weeks.

Thank you for your patience.

Best regards

Ok, now i’m getting sad. over 2 whole months before my order get’s shipped.  Well, better late than never.

On the 3rd of February, they shipped the item…. Well, they have notified USPS that there was an Item to be send, but shipped? No, not yet.

on the 6th I received this:

  • Hi Max,
  • USPS still didn’t picked up the package. You’ll probably see an update in the next 12-24 hours.
  • Best regards

Super. Well. Within  a few days, the package came to Denmark. Getting held up in Customs and I was fined 3600DKK in taxes. That’s a bit more than $600.

I better love this privacy thing. Bottom line is expensive kill switches 🙂

Well, guess what. No USB stick.. The reply was:

  • Hi Max,
  • We don’t have USB flash drives on stock at the moment. We’ll send it separately in about two weeks.
  • Best regards

Thank you very much. Well, I can wait. Let’s try this PureOS out.

The install wen’t almost without issues. The touchpad didn’t work. Known issue I was told:

  • Hi Max,
  • Yes, that’s a known problem. We’re working on a fix.
  • Best regards

Well, the install finished and the touchpad worked. Now, let’s see what this PureOS is all about. Wauw. This was one of the best, simple, beautiful, Linux distributions I have ever seen. With encryption, privacy and moderate security as default. Qubes is a bit much, and PureOS seems like the OS for me. So I decided then that PureOS  should be my primary personal VM of choice in Qubes, of course 🙂

Well, Qubes 3.2 didn’t install very well, due to known issues. 4.0 couldn’t get installed because of other issues with CoreBoot 4.7 . My Librem 13v2 is shipped with Coreboot 4.6 which does not support Qubes 4.0.

So I had bought a laptop that worked barely with 3.2 (My restored Kali VM doesn’t work and the boot loader fail) and not at all with 4.0. The whole reason for the purchase, was to get it running Qubes-OS 4.0.

Well, the Purism and Coreboot team worked hard, and it seems that the early announcement, might soon get to be a real announcement that is not just a statement, but an actual usable announcement with a guide to get your brick working. Right now, it’s still without a proper guide.

Soon I hope. Soon.

But when trying to test my poor Qubes 3.2 installation, the fan breaks down, and starts a rattling noise.

Not happy about it, the support gives me a choice of sending it overseas back to Purism or send a spare to me.

  • Hi Max,
  • There’s no need for a video. We had a similar case, where the noise would occur from time to time, and it was coming from the fan. Could you try to bring the bottom of the laptop near your ear when you hear the noise again?
  • The only thing left to do is to send the laptop back to us for repair. Or we could send you a replacement fan, if it happens that it’s a source of that noise, and if you think you could replace it by yourself.
  • Best regards

Well, I told them to send it with the missing usb-stick and I’m looking forward to it. And of course the Coreboot update. And the test of Qubes 4.0.

In restrospect, I would maybe recommend the Lenovo X1 Carbon (Which I use for work, actually) and the Qubes team uses too. Regarding hardware switches, Joanna actually commented on it regarding Qubes 4.0 that “Similarly, we don’t consider physical kill switches on Wi-Fi and Bluetooth devices to be mandatory”. So I guess, that running qubes and controlling the hardware to VM’s should suffice. And it’s cheaper than kill switches.

But, hey. The hype get’s you a long way, says an iphone user 😉

UPDATE 22/2-2018:

The coreboot is available, but the initial version is quite faulty, so updating will be a hassle. Be sure to get the latest Coreboot 4.7 v.3

February 2018 coreboot update now available

UPDATE  22/2-2018:

To make me feel even worse, Purism offered free TPM and International shipping on all NEW orders. So, even though my order is not quite finished, the answer to the question “Could I be included in this great offer, since my order is not yet fully received? was…

  • Only for new orders.

So there you go. $99 for the TPM and $80 for shipping and now I have to return the damn thing because of a faulty fan.

This thing is costing me more than the X1 Carbon I should have bought instead, it seems.

The most expensive kill switches in the world, and it doesn’t have a danish keyboard 🙂

UPDATE 7/3-2018

I shipped the thing back on the 1st of march and it hasn’t been delivered to Purism yet. I’m looking forward to see how long time it will be, from ordering a laptop to actually getting a working laptop. So far its’ been ….. quite some time…

UPDATE 9/3-2018:

  • After receiving the package at Purism, I inquired about when to expect the fan to be replaced and the answer was:
  • Hi Max,
  • It will probably take us 5-10 days. We’ll let you know as soon as we fix it.
  • Best regards

So, counting on approximately 3,5 months now and 4 months since initial order…

UPDATE 15/3-2018:

  • Hi Max,
  • We managed to fix your laptop. Could you send us your shipping address?

🙂 Of course. Keeping the costs down by saving on CRM systems is a great thing.

And now it’s almost shipped 😉

We have a very expensive public sector here in Denmark, so we have to make people pay the absolute maximum to get the show on the road. I must say, paying customs twice, because the same machine travels the border twice is just stupid.

UPDATE 20-03-2018

  • Hello Max Andersen,Your item is being held in Customs at 12:38 pm on March 20, 2018 in COPENHAGEN EMS, DENMARK.Tracking Number: XXXXXXXXXXXX

So when confronted with the customs yet again, I was send back and forth between FedEx and Customs 5 times before the issue is (maybe) resolved.

The Clearance Broker At fedex have now send an email to Customs and a few days will pass…..

If 2 days pass, We are officially 4 months from the order date. That is a huge fail.

UPDATE 21-03-2018

  • Hello Max Andersen,Your item cleared customs in DENMARK at 10:22 am on March 21, 2018.Tracking Number: XXXXXXXXXXXX

One day left for the 4 month mark…

UPDATE 27 March 2018

Customs(SKAT) has been very nice to me and explained that an error has occurred and that they will send me an email to send to postnord to sort things out. I was, wrongfully send a bill on DKK 460,- which should be annulled. (In Danish):

  • Hej.
  • Du kan sige til post-Nord at de kan indfortolde din reparerede computer med procedurekode 4000009.
  • Og henvise til udførselsangivelsens nummer samt momslovens paragraf 32, stk 3.
  • Det betyder for dig at du ikke skal betale noget udover gebyret til Post Nord.
  • (translated into english):
  • Hello.
    You can say to Post-Nord that they can process your repaired computer with procedure code 4000009.
    And refer to the export declaration number as well as section 32 (3) of the VAT Act.
    This means that you do not have to pay anything beyond Post Nord’s fee.

I called PostNord and they said that they disagree and their decision needs a lot of proof to change. I told them, that customs said it was ok, but no. They have the laptop, and within 2 weeks it will send it back if I dont pay up or prove them wrong.

I seriously doubt that Karma from dealing with a company in Trumps America could be the reason, but I wished I never bought the damn thing, right now.

Postnord should buy it if they want it so bad. Damn them.

Well, I send SKAT’s email to Postnord and let’s see if things will change. I won’t get my hopes up.

Let’s see where this tale will take us….

UPDATE: 2018-03-28

No news, and easter is upon us. Thank you postnord for your great CUSTOMER service..(?)

UPDATE:  2018-04-03:

PostNord has reconsidered my request and will talk to SKAT within the next few days. all of this is FedEx’ fault for not using the right code for sending out repairs to the US. That’s what you get for using a “professional” courier.

Looking forward until next update 🙂

UPDATE: 2018-04-04:

PostNord has informed me that SKAT misinformed me and I need to pay up. I disagree and contact SKAT and they need full information, since they do not believe me.

I have now used SKAT’s contact form to get in touch with the people there. They day I must pay up and try to get a refund afterwards. I say that I’m not paying twice, and if there was an error it must be corrected. It cannot be impossible to correct an error?

Thay say it is, but will need me to fill out the contact form. Maybe the shipment will return to Purism again. We’ll see.

UPDATE: 2018-04-05:

I gave up and payed PostNord, so let’s see how fast they can deliver the laptop. Postnord is unable to do anything sane, it seems. Errors can not be resolved. When an error has occurred, it is set in stone and can never be undone. Arrogant does not cover it.

And I’m going to contact FedEx and explain the pain they have caused and see if they man up and pay my expenses, I was taxed, due to their failure to expedite the package properly. Interesting.

UPDATE: 2018-04-11:

So, I received my laptop on the 9th, but didn’t have time before yesterday to test it and see if everything works. Apart from failing installation due to the selection of Danish keyboard layout, as you can see below, it wen’t fine.

Sadly I hurried to write to purism, since Kyle Rankin said it all wen’t smoothly out of the box, figuring if we installed the same OS, it must still be a hardware issue. It was the language selection. Don’t choose English(Denmark) during installation. The installation fails horribly as you can see above not creating any QVM’s, etc.

But after the kids wen’t to bed, and there was quiet, the fan began to bother me again. Not like the first rattling nois, but more like an old harddrive.  Just enough to annoy the **** out of me. Try and listen

I wrote Purism support and the answer was:

I tried the above and finding bios version  4.7-Purism-1, so the system needs updating. The system crashed repeatedly trying to update, and I had to write again to get help.

The help was fast, and it was a known issue and new directions were given:

The above worked, and qubes 4.0 installed perfectly.

Now it’s time to start using the damn thing.

UPDATE: 2018-04-22:

On the 21st of April I wrote support about still having a annoyingly noisy fan, and sadly the reply today was:

  • This is still being fine tuned within coreboot, new releases should improve thermal and fan performance. So at this point you can only wait for the new coreboot release, I’m afraid.

So, I guess I will have to wait. Again 🙂

UPDATE 2018-04-23:

Ok, so pipe doesnt work on default Librem13v2.  Alleged solution did not work for me. This solution did.

sudo setkeycodes 56 43

UPDATE 2018-05-08:

make it permanent

Enjoy.